Redshift Cluster Logging Disabled
- Query id: 3de2d4ff-fe53-4fc9-95d3-2f8a69bf90d6
- Query name: Redshift Cluster Logging Disabled
- Platform: CloudFormation
- Severity: Medium
- Category: Observability
- CWE: 778
- URL: Github
Description
Make sure logging is enabled for the Redshift cluster: the `AWS::Redshift::Cluster` resource should set `LoggingProperties` with a `BucketName`, so that the cluster's connection and user activity audit logs are delivered to an S3 bucket instead of being discarded.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - yaml file
```yaml
AWSTemplateFormatVersion: 2010-09-09
Description: Redshift Stack
Resources:
  RedshiftCluster3:
    Type: AWS::Redshift::Cluster
    Properties:
      ClusterSubnetGroupName: !Ref RedshiftClusterSubnetGroup
      ClusterType: !If [ SingleNode, single-node, multi-node ]
      NumberOfNodes: !If [ SingleNode, !Ref 'AWS::NoValue', !Ref RedshiftNodeCount ]
      DBName: !Sub ${DatabaseName}
      IamRoles:
        - !GetAtt RawDataBucketAccessRole.Arn
      MasterUserPassword: !Ref MasterUserPassword
      MasterUsername: !Ref MasterUsername
      PubliclyAccessible: true
      NodeType: dc1.large
      Port: 5439
      VpcSecurityGroupIds:
        - !Sub ${RedshiftSecurityGroup}
      PreferredMaintenanceWindow: Sun:09:15-Sun:09:45
```
Positive test num. 2 - json file
```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Redshift Stack",
  "Resources": {
    "RedshiftCluster4": {
      "Properties": {
        "NodeType": "dc1.large",
        "Port": 5439,
        "VpcSecurityGroupIds": [
          "${RedshiftSecurityGroup}"
        ],
        "ClusterSubnetGroupName": "RedshiftClusterSubnetGroup",
        "ClusterType": [
          "SingleNode",
          "single-node",
          "multi-node"
        ],
        "MasterUserPassword": "MasterUserPassword",
        "MasterUsername": "MasterUsername",
        "PreferredMaintenanceWindow": "Sun:09:15-Sun:09:45",
        "NumberOfNodes": [
          "SingleNode",
          "AWS::NoValue",
          "RedshiftNodeCount"
        ],
        "DBName": "${DatabaseName}",
        "IamRoles": [
          "RawDataBucketAccessRole.Arn"
        ],
        "PubliclyAccessible": true
      },
      "Type": "AWS::Redshift::Cluster"
    }
  }
}
```
Code samples without security vulnerabilities
Negative test num. 1 - yaml file
```yaml
AWSTemplateFormatVersion: 2010-09-09
Description: Redshift Stack
Resources:
  RedshiftCluster:
    Type: AWS::Redshift::Cluster
    Properties:
      ClusterSubnetGroupName: !Ref RedshiftClusterSubnetGroup
      ClusterType: !If [ SingleNode, single-node, multi-node ]
      NumberOfNodes: !If [ SingleNode, !Ref 'AWS::NoValue', !Ref RedshiftNodeCount ]
      DBName: !Sub ${DatabaseName}
      IamRoles:
        - !GetAtt RawDataBucketAccessRole.Arn
      MasterUserPassword: !Ref MasterUserPassword
      MasterUsername: !Ref MasterUsername
      PubliclyAccessible: true
      NodeType: dc1.large
      Port: 5439
      VpcSecurityGroupIds:
        - !Sub ${RedshiftSecurityGroup}
      PreferredMaintenanceWindow: Sun:09:15-Sun:09:45
      KmsKeyId: wewewewewefsa
      LoggingProperties:
        BucketName: "Some bucket name"
```
Negative test num. 2 - json file
```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Redshift Stack",
  "Resources": {
    "RedshiftCluster2": {
      "Type": "AWS::Redshift::Cluster",
      "Properties": {
        "IamRoles": [
          "RawDataBucketAccessRole.Arn"
        ],
        "PubliclyAccessible": true,
        "NodeType": "dc1.large",
        "Port": 5439,
        "VpcSecurityGroupIds": [
          "${RedshiftSecurityGroup}"
        ],
        "PreferredMaintenanceWindow": "Sun:09:15-Sun:09:45",
        "ClusterType": [
          "SingleNode",
          "single-node",
          "multi-node"
        ],
        "NumberOfNodes": [
          "SingleNode",
          "AWS::NoValue",
          "RedshiftNodeCount"
        ],
        "DBName": "${DatabaseName}",
        "MasterUserPassword": "MasterUserPassword",
        "MasterUsername": "MasterUsername",
        "KmsKeyId": "wewewewewefsa",
        "ClusterSubnetGroupName": "RedshiftClusterSubnetGroup",
        "LoggingProperties": {
          "BucketName": "Some bucket name"
        }
      }
    }
  }
}
```
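The check the positive and negative samples above illustrate, written as a small standalone scanner (an added example, not KICS's own Rego query): it loads a JSON or YAML CloudFormation template, tolerates the short-form intrinsic tags (`!Ref`, `!If`, `!Sub`, `!GetAtt`) seen in the YAML samples, and reports every `AWS::Redshift::Cluster` whose `LoggingProperties` is missing or has no `BucketName`. The sample template, the resource names in it and the `CfnLoader` class are constructed for this example; PyYAML is assumed for the YAML path only.

```python
import json
from typing import List

try:  # PyYAML is optional: JSON templates need only the standard library
    import yaml

    class CfnLoader(yaml.SafeLoader):
        """SafeLoader that accepts CloudFormation short-form tags (!Ref, !If, !Sub)."""

    def _cfn_tag(loader, suffix, node):
        # Keep intrinsics as {"Ref": ...} / {"If": [...]} so the resource tree survives
        if isinstance(node, yaml.ScalarNode):
            return {suffix: loader.construct_scalar(node)}
        if isinstance(node, yaml.SequenceNode):
            return {suffix: loader.construct_sequence(node)}
        return {suffix: loader.construct_mapping(node)}

    CfnLoader.add_multi_constructor("!", _cfn_tag)
except ImportError:
    yaml = None


def load_template(text: str) -> dict:
    """Parse a JSON or YAML CloudFormation template into a plain dict."""
    if text.lstrip().startswith("{"):
        return json.loads(text)
    if yaml is None:
        raise RuntimeError("PyYAML is needed to parse YAML templates")
    return yaml.load(text, Loader=CfnLoader)


def redshift_logging_findings(template: dict) -> List[str]:
    """Logical IDs of Redshift clusters lacking LoggingProperties.BucketName."""
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::Redshift::Cluster":
            continue
        log_props = res.get("Properties", {}).get("LoggingProperties")
        if not isinstance(log_props, dict) or not log_props.get("BucketName"):
            findings.append(logical_id)
    return findings


# Constructed sample (not one of the page's test files): two clusters fail, one passes.
SAMPLE_TEMPLATE = json.dumps({"AWSTemplateFormatVersion": "2010-09-09", "Resources": {
    "NoLogging": {"Type": "AWS::Redshift::Cluster", "Properties": {"Port": 5439}},
    "EmptyLogging": {"Type": "AWS::Redshift::Cluster", "Properties": {"LoggingProperties": {}}},
    "WithLogging": {"Type": "AWS::Redshift::Cluster",
                    "Properties": {"LoggingProperties": {"BucketName": "audit-logs"}}},
    "Bucket": {"Type": "AWS::S3::Bucket"}}})

if __name__ == "__main__":
    print("Redshift clusters without logging:", redshift_logging_findings(load_template(SAMPLE_TEMPLATE)))
```

An empty `LoggingProperties` block is flagged as well, since without a `BucketName` no log destination exists; a finding here maps to the Medium severity, Observability category result the query reports.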